Navigate

CCI-004057

CCI-004057 Definition

Defines the frequency for updating commonly used, expected, or compromised passwords, when they are suspected of being compromised directly or indirectly.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if for password-based authentication, a list of commonly used, expected, or compromised passwords is maintained and updated [IA-05(01)_ODP[01]; the frequency at which to update the list of commonly used, expected, or compromised passwords is defined] and when Organizational passwords are suspected to have been compromised directly or indirectly.

Validation Procedures

Examine: [SELECT FROM: Identification and authentication policy; password policy; procedures addressing authenticator management; system security plan; system design documentation; system configuration settings and associated documentation; password configurations and associated documentation; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with authenticator management responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers]. Test: [SELECT FROM: Mechanisms supporting and/or implementing password-based authenticator management capability].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-004057.

Control	Description
IA-5(1)	For password-based authentication: (a): Maintain a list of commonly-used, expected, or compromised passwords and update the list [the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;] and when organizational passwords are suspected to have been compromised directly or indirectly; (b): Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a); (c): Transmit passwords only over cryptographically-protected channels; (d): Store passwords using an approved salted key derivation function, preferably using a keyed hash; (e): Require immediate selection of a new password upon account recovery; (f): Allow user selection of long passwords and passphrases, including spaces and all printable characters; (g): Employ automated tools to assist the user in selecting strong password authenticators; and (h): Enforce the following composition and complexity rules: [authenticator composition and complexity rules are defined;].

Control

Description

IA-5(1)

For password-based authentication:

(a): Maintain a list of commonly-used, expected, or compromised passwords and update the list [the frequency at which to update the list of commonly used, expected, or compromised passwords is defined;] and when organizational passwords are suspected to have been compromised directly or indirectly;

(b): Verify, when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5(1)(a);

(c): Transmit passwords only over cryptographically-protected channels;

(d): Store passwords using an approved salted key derivation function, preferably using a keyed hash;

(e): Require immediate selection of a new password upon account recovery;

(f): Allow user selection of long passwords and passphrases, including spaces and all printable characters;

(g): Employ automated tools to assist the user in selecting strong password authenticators; and

(h): Enforce the following composition and complexity rules: [authenticator composition and complexity rules are defined;].